Hmm... I found another miss at sepgsql_ranged_proc_t without domain_dyntrans_type(). It didn't work well. Please see the revised one. Thanks, 2012/5/4 Kohei KaiGai <kaigai@xxxxxxxxxxxx>: > I noticed a miss on postgresql_unpriv_client() interface. > Please check the newer one. > > Thanks, > > 2012/3/25 Kohei KaiGai <kaigai@xxxxxxxxxxxx>: >> This patch provides a new trusted procedure type that allows the >> security label of a database client to be switched, in combination with the new >> sepgsql_setcon() function supported in the upcoming v9.2 release. >> >> The original idea was given by Joshua Brindle. The sepgsql_setcon() >> provides an analogy of dynamic domain transition on an operating system. >> Confined domains are not given the privilege to switch their security label >> directly, but they may do so via a trusted procedure. >> >> The new sepgsql_ranged_proc_exec_t is an entrypoint of >> sepgsql_ranged_proc_t that has mcssetcats and mlsprocsetsl. >> >> We assume its typical usage is sepgsql_setcon() getting invoked >> via a trusted procedure that references secret credential tables at the >> beginning of the database session by a connection pooling server. >> >> Usage example) >> >> (*) The credential table is labeled as "sepgsql_secret_table_t"; >> each row holds a username, a credential and a security context. 
>> >> postgres=# CREATE OR REPLACE FUNCTION client_switch(text) >> RETURNS bool LANGUAGE sql >> AS 'SELECT sepgsql_setcon(ucontext) FROM credential >> WHERE uname = current_user AND ucred = $1'; >> CREATE FUNCTION >> postgres=# SECURITY LABEL ON FUNCTION client_switch(text) IS >> 'system_u:object_r:sepgsql_ranged_proc_exec_t:s0'; >> SECURITY LABEL >> postgres=# CREATE OR REPLACE FUNCTION client_reset() >> RETURNS bool LANGUAGE sql AS 'SELECT sepgsql_setcon(NULL)'; >> CREATE FUNCTION >> postgres=# SECURITY LABEL ON FUNCTION client_reset() IS >> 'system_u:object_r:sepgsql_ranged_proc_exec_t:s0'; >> SECURITY LABEL >> >> Then, it shows a scenario to switch the client label via trusted procedure. >> >> [alice@iwashi ~]$ psql postgres -q >> postgres=# SELECT sepgsql_getcon(); >> sepgsql_getcon >> ---------------------------- >> staff_u:staff_r:staff_t:s0 >> (1 row) >> >> postgres=# SELECT * FROM info_c0; >> ERROR: SELinux: security policy violation >> postgres=# SELECT * FROM info_c1; >> ERROR: SELinux: security policy violation >> -- client have no permission neither info_c0 nor info_c1 >> >> postgres=# SELECT client_switch('6384e2b2184bcbf58eccf10ca7a6563c'); >> client_switch >> --------------- >> t >> (1 row) >> >> postgres=# SELECT sepgsql_getcon(); >> sepgsql_getcon >> ------------------------------- >> staff_u:staff_r:staff_t:s0:c1 >> (1 row) >> >> postgres=# SELECT * FROM info_c0; >> ERROR: SELinux: security policy violation >> postgres=# SELECT * FROM info_c1; >> a | b >> ---+----- >> 3 | xxx >> 4 | yyy >> (2 rows) >> >> -- needless to say, credential table is not visible >> postgres=# SELECT * FROM credential ; >> ERROR: SELinux: security policy violation >> >> Also see, >> http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=523176cbf14a3414170a83dd43686c0eccdc61c6 
>>
>> Signed-off-by: KaiGai Kohei <kohei.kaigai@xxxxxxxxxxxx>
>> --
>> policy/modules/services/postgresql.if | 32 +++++++++++++++++++++++++++++++-
>> policy/modules/services/postgresql.te | 32 ++++++++++++++++++++++++++++----
>> 2 files changed, 59 insertions(+), 5 deletions(-)
>>
>> diff --git a/policy/modules/services/postgresql.if >> b/policy/modules/services/postgresql.if
>> index 09aeffa..24e9958 100644
>> --- a/policy/modules/services/postgresql.if
>> +++ b/policy/modules/services/postgresql.if
>> @@ -32,6 +32,7 @@ interface(`postgresql_role',`
>> attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
>>
>> type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
>> + type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
>> type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
>> type user_sepgsql_schema_t, user_sepgsql_seq_t;
>> type user_sepgsql_sysobj_t, user_sepgsql_table_t;
>> @@ -45,6 +46,7 @@ interface(`postgresql_role',`
>>
>> typeattribute $2 sepgsql_client_type;
>> role $1 types sepgsql_trusted_proc_t;
>> + role $1 types sepgsql_ranged_proc_t;
>>
>> ##############################
>> #
>> @@ -88,6 +90,10 @@ interface(`postgresql_role',`
>>
>> allow $2 sepgsql_trusted_proc_t:process transition;
>> type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
>> +
>> + allow $2 sepgsql_ranged_proc_t:process transition;
>> + type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
>> + allow sepgsql_ranged_proc_t $2:process dyntransition;
>> ')
>>
>> ########################################
>> @@ -223,7 +229,7 @@ interface(`postgresql_view_object',`
>> ## </summary>
>> ## <param name="type">
>> ## <summary>
>> -## Type marked as a database object type.
>> +## Type marked as a procedure object type.
>> ## </summary>
>> ## </param>
>> #
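Review bot: In the `@@ -88,6 +90,10 @@` hunk, `allow sepgsql_ranged_proc_t $2:process dyntransition;` lets the ranged domain re-label the calling client in place, and nothing at this rule bounds the range it may move $2 to; as far as the patch shows, the MCS/MLS dominance checks for that domain are lifted in the .te file via mcs_process_set_categories()/mls_process_set_level(), so the only check on the assigned label is the SQL body of whichever function carries sepgsql_ranged_proc_exec_t. That appears to be the intended design, but it should be stated where the permission is granted rather than only in a .te comment, e.g. `# the ranged trusted procedure may relabel the calling client (sepgsql_setcon());` / `# the range it assigns is bounded by the procedure body, not by this policy`. Note that, unlike the trusted_proc rules above it, this block also grants a permission in the reverse direction (domain -> caller), which is worth a word for anyone auditing postgresql_role. interface(`postgresql_role') starts before this hunk.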
>> @@ -237,6 +243,26 @@ interface(`postgresql_procedure_object',`
>>
>> ########################################
>> ## <summary>
>> +## Marks as a SE-PostgreSQL trusted procedure object type
>> +## </summary>
>> +## <param name="type">
>> +## <summary>
>> +## Type marked as a trusted procedure object type.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`postgresql_trusted_procedure_object',`
>> + gen_require(`
>> + attribute sepgsql_procedure_type;
>> + attribute sepgsql_trusted_procedure_type;
>> + ')
>> +
>> + typeattribute $1 sepgsql_procedure_type;
>> + typeattribute $1 sepgsql_trusted_procedure_type;
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Marks as a SE-PostgreSQL procedural language object type
>> ## </summary>
>> ## <param name="type">
>> @@ -459,6 +485,10 @@ interface(`postgresql_unpriv_client',`
>> type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
>> allow $1 sepgsql_trusted_proc_t:process transition;
>>
>> + type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
>> + allow $1 sepgsql_ranged_proc_t:process transition;
>> + allow sepgsql_ranged_proc_t $1:process dyntransition;
>> +
>> tunable_policy(`sepgsql_enable_users_ddl',`
>> allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
>> allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
>> diff --git a/policy/modules/services/postgresql.te >> b/policy/modules/services/postgresql.te
>> index 4d71f89..2457d10 100644
>> --- a/policy/modules/services/postgresql.te
>> +++ b/policy/modules/services/postgresql.te
>> @@ -70,6 +70,7 @@ attribute sepgsql_sysobj_table_type;
>> attribute sepgsql_sequence_type;
>> attribute sepgsql_view_type;
>> attribute sepgsql_procedure_type;
>> +attribute sepgsql_trusted_procedure_type;
>> attribute sepgsql_language_type;
>> attribute sepgsql_blob_type;
>> attribute sepgsql_module_type;
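Review bot: The XML summary of the new `postgresql_trusted_procedure_object` interface says only that the type is "a trusted procedure object type", which does not tell a policy author what marking a type this way implies. From the .te hunks in this same patch, a type carrying sepgsql_trusted_procedure_type becomes an entry point that every sepgsql_client_type may execute and enter (`{ getattr execute entrypoint }`), while `install` is withheld even from admin and unconfined domains (`~install`); that is the property an author must know before applying the interface. Suggest extending the summary, e.g. `## Functions of this type are entry points into a trusted domain: any client may execute and enter them, and no domain may install them.` The same applies to the `<param>` description, which currently restates the name.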
>> @@ -122,7 +123,10 @@ type sepgsql_table_t;
>> postgresql_table_object(sepgsql_table_t)
>>
>> type sepgsql_trusted_proc_exec_t;
>> -postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
>> +postgresql_trusted_procedure_object(sepgsql_trusted_proc_exec_t)
>> +
>> +type sepgsql_ranged_proc_exec_t;
>> +postgresql_trusted_procedure_object(sepgsql_ranged_proc_exec_t)
>>
>> type sepgsql_view_t;
>> postgresql_view_object(sepgsql_view_t)
>> @@ -133,6 +137,26 @@ domain_type(sepgsql_trusted_proc_t)
>> postgresql_unconfined(sepgsql_trusted_proc_t)
>> role system_r types sepgsql_trusted_proc_t;
>>
>> +# Ranged Trusted Procedure Domain
>> +#
>> +# XXX - the purpose of this domain is to switch security context of
>> +# the database client using dynamic domain transition; typically,
>> +# used for connection pooling software that shall assign a security
>> +# context at beginning of the user session based on the credentials
>> +# being invisible from unprivileged domains.
>> +#
>> +type sepgsql_ranged_proc_t;
>> +domain_type(sepgsql_ranged_proc_t)
>> +postgresql_unconfined(sepgsql_ranged_proc_t)
>> +allow sepgsql_ranged_proc_t self:process { setcurrent };
>> +role system_r types sepgsql_ranged_proc_t;
>> +optional_policy(`
>> + mcs_process_set_categories(sepgsql_ranged_proc_t)
>> +')
>> +optional_policy(`
>> + mls_process_set_level(sepgsql_ranged_proc_t)
>> +')
>> +
>> # Types for unprivileged client
>> type unpriv_sepgsql_blob_t;
>> postgresql_blob_object(unpriv_sepgsql_blob_t)
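Review bot: In the `@@ -133,6 +137,26 @@` hunk the new sepgsql_ranged_proc_t block is both `postgresql_unconfined` and, where the modules are present, exempt from MCS category and MLS level dominance checks (`mcs_process_set_categories`, `mls_process_set_level`), yet the XXX comment above it only describes the connection-pooling use case; it does not say that a function labeled sepgsql_ranged_proc_exec_t therefore has to be reviewed like a setuid program, because its SQL body is the sole gate between any client and an arbitrary range. Suggest adding to the comment: `# NOTE: this domain is unconfined for database objects and exempt from MCS/MLS` / `# dominance; the credential check lives entirely in the trusted procedure body,` / `# so every function labeled sepgsql_ranged_proc_exec_t must be audited as such.` The comment also claims the credentials are "invisible from unprivileged domains"; the policy can hide the table, but a credential passed as a function argument, as in the usage example, travels in the statement text, which this policy cannot cover — worth hedging in the comment. The two optional_policy blocks silently degrade to "no range change possible" when the MCS/MLS modules are absent, which may deserve a one-line comment too.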
>> @@ -404,7 +428,7 @@ allow sepgsql_client_type >> sepgsql_seq_t:db_sequence { getattr get_value next_val
>> allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
>>
>> allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr >> execute install };
>> -allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { >> getattr execute entrypoint };
>> +allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure >> { getattr execute entrypoint };
>>
>> allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
>> allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };
>> @@ -493,7 +517,7 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
>> allow sepgsql_admin_type sepgsql_view_type:db_view *;
>>
>> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
>> - allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
>> + allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~install;
>> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ >> execute install };
>>
>> allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
>> @@ -528,7 +552,7 @@ allow sepgsql_unconfined_type sepgsql_view_type:db_view *;
>> # unconfined domain is not allowed to invoke user defined procedure directly.
>> # They have to confirm and relabel it at first.
>> allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
>> -allow sepgsql_unconfined_type >> sepgsql_trusted_proc_exec_t:db_procedure ~install;
>> +allow sepgsql_unconfined_type >> sepgsql_trusted_procedure_type:db_procedure ~install;
>> allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ >> execute install };
>>
>> allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;
>>
>> -- >> KaiGai Kohei <kaigai@xxxxxxxxxxxx> > > > > -- > KaiGai Kohei <kaigai@xxxxxxxxxxxx> -- KaiGai Kohei <kaigai@xxxxxxxxxxxx>
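Review bot: Replacing `sepgsql_trusted_proc_exec_t` with the `sepgsql_trusted_procedure_type` attribute in the `@@ -404,7 +428,7 @@` hunk makes every client domain able to execute and enter functions labeled sepgsql_ranged_proc_exec_t, i.e. the domain that can relabel the caller to any MCS/MLS range, with no way for a site to narrow that to, say, the connection pooler's domain without patching this line. If the broad grant is intended (the usage example has a plain staff_t client calling client_switch directly), keeping the two entry points as separate rules costs one line and leaves room to tighten the ranged one later: `allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };` / `allow sepgsql_client_type sepgsql_ranged_proc_exec_t:db_procedure { getattr execute entrypoint };`. Either way, a comment naming what the attribute now covers would help, since the line no longer shows that it includes the ranged type.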
Attachment:
refpolicy-sepgsql-1of4-connection-pooling-support.20120503.patch